DETAILED ACTION

1. This action is responsive to communication: filed on 15 February 2002.

2. Claims 1-28 are currently pending in this application. Claims 1, 11, 17, 27, and 28 are
independent claims.

Claim Rejections - 35 USC §102 

3. The following is a quotation of the appropriate paragraphs of 35 U.S.C. 102 that form the 
basis for the rejections under this section made in this Office action: 

A person shall be entitled to a patent unless - 

(e) the invention was described in (1) an application for patent, published under section 122(b), by another filed 
in the United States before the invention by the applicant for patent or (2) a patent granted on an application for 
patent by another filed in the United States before the invention by the applicant for patent, except that an
international application filed under the treaty defined in section 351(a) shall have the effects for purposes of this 
subsection of an application filed in the United States only if the international application designated the United 
States and was published under Article 21(2) of such treaty in the English language 

4. Claims 1, 5-8, 10-13, 15-17, 21-24, and 26-28, are rejected under 35 U.S.C. 102(e) as 
being anticipated by Shah et al. U.S. Patent No. 6,678,835 (hereinafter '835). 

As to independent claim 1, "A method for deploying configuration instructions to 
security devices in order to implement a security policy in a network, the method comprising 
the computer-implemented steps of:" is taught in '835 col. 1, line 60 through col. 2, line 32; 

"detecting that implementing a security policy will cause an address translation 
alteration in a packet communicated between a management source and a plurality of 
security devices for implementing the security policy on the network" is shown in '835 col. 19,
line 50 through col. 20, line 37; 

"identifying, from among the plurality of security devices, one or more sets of security 
devices that have one or more configuration dependencies as a result of the address 
translation alteration if the security policy is implemented" is disclosed in '835 col. 20,
lines 37-49; 

"and sending one or more configuration instructions from the management source to 
each of the one or more sets of security devices using an order that is determined based on the 
one or more configuration dependencies, resulting in implementing the security policy on the 
network" is taught in '835 col. 20, line 47 through col. 21, line 39. 

As to dependent claim 5, "wherein: detecting that implementing the security policy will 
cause an address translation alteration between a management source and a plurality of 
security devices includes detecting that implementing the security policy will cause a natural 
address translation between the management source and one of the plurality of security 
devices" is disclosed in '835 col. 20, lines 37-49. 

As to dependent claim 6, "wherein: detecting that implementing the security policy will 
cause an address translation alteration between a management source and a plurality of 
security devices includes detecting that implementing the security policy will cause a static 
address translation between the management source and one of the plurality of security 
devices" is shown in '835 col. 20, lines 37-49. 

As to dependent claim 7, "wherein: detecting that implementing the security policy will 
cause an address translation alteration between a management source and a plurality of 
security devices includes detecting that implementing the security policy will cause a tunneling 
translation between the management source and one of the plurality of security devices" is 
disclosed in '835 col. 19, lines 51-61.

As to dependent claim 8, "wherein: detecting that implementing the security policy will
cause an address translation alteration between a management source and a plurality of 
security devices includes detecting that implementing the security policy will cause a natural 
address translation; identifying one or more sets of security devices that would each have one 
or more configuration dependencies as a result of the address translation alteration includes 
identifying a first network path that interconnects the management source and a first set of the 
one or more security devices in series; and sending configuration instructions from the 
management source to one or more sets of security devices includes sending configuration 
instructions to at least some of the security devices on the first network sequentially, beginning 
with a first security device on the first network path that is ordered to be a last one of the 
security devices on the first network path to receive communications from the management 
source" is disclosed in '835 col. 20, lines 1-49. 

As to dependent claim 10, "wherein: detecting that implementing the security policy will 
cause an address translation alteration between a management source and a plurality of 
security devices includes detecting that implementing the security policy will cause a tunneling 
translation on the first network path" is disclosed in '835 col. 19, lines 51-61; 

"and identifying one or more sets of security devices that would each have one or more 
configuration dependencies as a result of the address translation alteration includes 
identifying a first network path that interconnects the management source and a first set of the
one or more security devices in series; sending configuration instructions from the
management source to one or more sets of security devices includes sending configuration
instructions to one or more security devices on the first network path using the order of either



Application/Control Number: 10/078,061 Page 5 

Art Unit: 2134 

(i) sending configuration instructions to each security device of the first network path that is 
ordered in series between the management source and the static address translation before 
sending configuration instructions from the management source to any of the other security 
devices that are ordered in series after the static translation or (ii) sending configuration
instructions to all of the other security devices that are ordered in series after the static 
translation before sending configuration instructions from the management source to each 
security device that is ordered between the management source and the tunneling translation" 
is disclosed in '835 col. 20, lines 1-49. 

As to dependent claim 11, "A method for deploying configuration instructions to security 
devices in order to implement security policy in a network, the method comprising the computer- 
implemented steps of:" is taught in '835 col. 1, line 60 through col. 2, line 32;

"detecting that the security policy creates a change of one or more configuration 
dependencies as compared with an existing security policy, each configuration dependency 
corresponding to at least a first security device having to be configured before a second security 
device is configured in order for the first security device to receive its configuration instructions 
for implementing the security policy from a management source" is shown in '835 col. 19, line 50
through col. 20, line 49; 

"and deploying configuration instructions to one or more security devices to implement the 
security policy according to an order determined by the one or more configuration 
dependencies" is disclosed in '835 col. 20, line 47 through col. 48, line 39. 

As to dependent claim 12, "wherein deploying configuration instructions includes 
deploying, for a network path containing at least a first configuration dependency of the one or 
more configuration dependencies, configuration instructions to a first security device of the first
configuration dependency before deploying configuration instructions to a second security 
device of the first configuration dependency, wherein the first security device has to be 
configured before the second security device in order for the first security device to receive its 
configuration instructions for implementing the security policy from the management source" 
is disclosed in '835 col. 20, lines 1-49. 

As to dependent claim 13, "further comprising creating a schedule to implement the 
security policy to account for the change in the one or more configuration dependencies, and 
wherein deploying configuration instructions to one or more security devices includes using 
the schedule to deploy the configuration instructions" is taught in '835 col. 10, lines 52-60.

As to dependent claim 15, "wherein detecting that the security policy creates a change of 
one or more configuration dependencies from an existing security policy includes detecting the 
addition, deletion or modification of an address translation in a network path between the one 
or more security devices and the policy manager" is shown in '835 col. 20, lines 24-37. 

As to dependent claim 16, "further comprising detecting the addition, deletion or modification 
of the address translation selected from an address translation type consisting of a natural address 
translation type, a reverse address translation type, and a tunnel translation" is shown in '835 
col. 19, lines 51-61. 

As to independent claim 17, this claim is directed to a computer-readable medium for 
implementing the method of claims 1 and 11; therefore it is rejected along similar rationale.

As to dependent claims 21, 22, 23, 24, and 26, these claims contain substantially similar 
subject matter as claims 5, 6, 7, 8, and 10; therefore they are rejected along similar rationale.

As to independent claim 27, this claim is directed to a computer system for implementing the
method of claim 1; therefore it is rejected along similar rationale.

As to independent claim 28, this claim is directed to a management device for implementing
the method of claim 1; therefore it is rejected along similar rationale.

Claim Rejections - 35 USC §103 

5. The following is a quotation of 35 U.S.C. 103(a) which forms the basis for all
obviousness rejections set forth in this Office action:

(a) A patent may not be obtained though the invention is not identically disclosed or 
described as set forth in section 102 of this title, if the differences between the subject 
matter sought to be patented and the prior art are such that the subject matter as a whole 
would have been obvious at the time the invention was made to a person having ordinary 
skill in the art to which said subject matter pertains. Patentability shall not be negatived 
by the manner in which the invention was made. 

6. Claims 2-4, 9, 14, 18-20, and 25 are rejected under 35 U.S.C. 103(a) as being
unpatentable over '835 in further view of Rothermel et al. U.S. Patent No. 6,678,827 (hereinafter
'827).

As to dependent claim 2, the following is not taught in '835: "wherein sending 
configuration instructions from the management source to the one or more sets of security 
devices includes sending configuration instructions to multiple sets of security devices in 
parallel, wherein each of the multiple sets of security devices includes one or more 
configuration dependencies" however '827 teaches "For example the manager device can 
distribute the template to multiple NSDs, by sending a single copy of the template to a supervisor" 
in col. 3, lines 35-40.

It would have been obvious to one of ordinary skill in the art at the time of the invention
to modify the teachings of '835 a method of managing policies that allow the policy setting to be 
defined in an intuitive and extensible fashion to include means to distribute the policies in 
parallel. One of ordinary skill in the art would have been motivated to perform such a 
modification because as the size of the networks increase it is important to maintain consistency 
in policy distributed (see '827 col. 2 lines 52 et seq.) "When it is necessary to configure large
numbers of NSDs, such problems are only exacerbated. If the security policies across some or all 
of the NSDs should be consistent (e.g., multiple devices in use by a single company), the 
likelihood of mistakes increases. If the system administrator merely copies the specific security 
policy from one NSD to another, mistakes may occur in re-specifying the various NSD-specific 
configuration information. Alternately, if the system administrator attempts to re-create the 
general security policy independently on each NSD, various mistakes may occur such as 
neglecting to configure a type of service or incorrectly configuring the actions for such a type". 

As to dependent claim 3, "wherein: identifying one or more sets of security devices that 
would each have one or more configuration dependencies as a result of the address translation 
alteration includes identifying a first network path that interconnects the management source
and a first set of the one or more security devices in series, and a second network path that 
interconnects the management source and a second set of the one or more security devices in 
series; and sending configuration instructions to multiple sets of security devices in parallel 
includes sending configuration instructions to one or more security devices on the first network 
path and on the second network path concurrently, and independently of one another, using 
the order determined by the one or more configuration dependencies" is disclosed in '835 col.
20, lines 1-49;

As to dependent claim 4, "wherein: identifying one or more sets of security devices that 
would each have one or more configuration dependencies as a result of the address translation 
alteration includes identifying a first network path that interconnects the management source 
and a first set of the one or more security devices in series, and a second network path that 
interconnects the management source and a second set of the one or more security devices 
in series" is shown in '835 col. 19, line 50 through col. 20, line 37;

"sending configuration instructions from the management source to each of the one or 
more sets of security devices includes sending configuration instructions to one or more 
security devices on the first network path and on the second network path in parallel" is 
disclosed in '827 col. 3, lines 35-40;

"and sending configuration instructions to one or more security devices on the first 
network path includes sending configuration instructions to at least some of the security 
devices on the first network path sequentially, beginning with a first security device on the 
first network path that is ordered to be a last one of the security devices on the first network 
path to receive communications from the management source" is taught in '835 col. 20, line 47 
through col. 21, line 39. 

As to dependent claim 9, "wherein: detecting that implementing the security policy will
cause an address translation alteration between a management source and a plurality of 
security devices includes detecting that implementing the security policy will cause a static 
address translation on the first network path; and identifying one or more sets of security devices that 
would each have one or more configuration dependencies as a result of the address translation alteration
includes identifying a first network path that interconnects the management source and a first set of 
the one or more security devices in series; sending configuration instructions from the 
management source to one or more sets of security devices includes sending configuration 
instructions to one or more security devices on the first network path using the order of either (i) 
sending configuration instructions to each security device of the first network path that is 
ordered in series between the management source and the static address translation
before sending configuration instructions from the management source to any of the 
other security devices that are ordered in series after the static address translation" is 
disclosed in '835 col. 20, lines 37-49; 

"or (ii) sending configuration instructions to all of the other security devices that 
are ordered in series after the static address translation before sending configuration 
instructions from the management source to each security device that is ordered 
between the management source and the static address translation" is shown in '827 col. 5, lines 2-13
"the manager device can distribute the template to multiple NSDs by sending a single copy of
the template to a supervisor device associated with the NSDs and by then having the supervisor 
device update each of the NSDs with a copy of the template. Each of the NSD template copies 
can then be configured with NSD-specific information from one or more of a variety of sources, 
such as by the manager device, by a local user such as a system administrator, or automatically 
such as with DNS information. In particular, aliases in the template copy on a particular NSD 
can be replaced with information about the specific corresponding devices that are protected by 
the NSD, and NSD-specific access information can also be specified. For example, an alias for 
an HTTP server can be replaced with the specific network address and name of the actual HTTP
server". 

As to dependent claim 14, "wherein deploying configuration instructions includes
deploying in parallel the configuration instructions to each of the first security devices in the 
one or more configuration dependencies" is taught in '827 col. 3, lines 35-40. 

As to dependent claim 18, "wherein instructions for sending one or more configuration 
instructions from the management source to each of the one or more sets of security devices 
include instructions for sending configuration instructions to multiple sets of security devices 
in parallel, wherein each of the multiple sets of security devices includes one or more 
configuration dependencies" is taught in '827 col. 3, lines 35-40. 

As to dependent claim 19, "wherein: instructions for identifying one or more sets of 
security devices that would each have one or more configuration dependencies as a result of 
the address translation alteration include instructions for identifying a first network path that 
interconnects the management source and a first set of the one or more security devices in 
series, and a second network path that interconnects the management source and a second 
set of the one or more security devices in series" is disclosed in '835 col. 20, lines 37-49; 

"and instructions for sending one or more configuration instructions to multiple sets of 
security devices in parallel include instructions for sending configuration instructions to one or 
more security devices on the first network path and on the second network path concurrently, 
and independently of one another" is disclosed in '827 col. 3, lines 35-40.

As to dependent claim 20, "wherein: instructions for identifying one or more sets of 
security devices that would each have one or more configuration dependencies as a result 
of the address translation alteration include instructions for identifying a first network
path that interconnects the management source and a first set of the one or more security
devices in series, and a second network path that interconnects the management source and a
second set of the one or more security devices in series" is disclosed in '835 col. 20, lines 37-49;

"instructions for sending one or more configuration instructions from the 
management source to each of the one or more sets of security devices include sending
configuration instructions to one or more security devices on the first network path and on
the second network path in parallel" is disclosed in '827 col. 3, lines 35-40;

"including for sending configuration instructions to at least some of the security devices
on the first network path sequentially, beginning with a first security device on the first 
network path that is ordered to be a last one of the security devices on the first network 
path to receive communications from the management source" is taught in '835 col. 20, line 47 
through col. 21, line 39. 

As to dependent claim 25, this claim contains substantially similar subject matter as claim 9;
therefore it is rejected along similar rationale.

Conclusion

5. Any inquiry concerning this communication or earlier communications from the
examiner should be directed to Ellen C Tran whose telephone number is 
(571) 272-3842. The examiner can normally be reached from 6:30 am to 3:30 pm. 

If attempts to reach the examiner by telephone are unsuccessful, the examiner's 
supervisor, Gregory A Morse can be reached on (571) 272-3838. The fax phone number for the 
organization where this application or proceeding is assigned is (571) 273-8300. 

Information regarding the status of an application may be obtained from the Patent 
Application Information Retrieval (PAIR) system. Status information for published applications 
may be obtained from either Private PAIR or Public PAIR. Status information for unpublished 
applications is available through Private PAIR only. For more information about the PAIR 
system, see http://pair-direct.uspto.gov. Should you have questions on access to the Private PAIR 
system, contact the Electronic Business Center (EBC) at 866-217-9197 (toll-free). 

Ellen Tran 
Patent Examiner 
Technology Center 2134 
27 October 2005 